BackSwap malware: New banking Trojan uses unique techniques to drain your bank account

Security researchers have discovered a strain of new banking malware named BackSwap that employs unique techniques to target customers and empty their bank accounts. Banking trojans typically employ complex injection methods to drop malicious code monitor browsing activity or use DNS hijacking to redirect the user to a fake, cloned website and harvest login credentials.

As antivirus software and web browser developers becoming increasingly efficient at detecting and preventing process injection attempts, many cybercriminals have shifted towards easy-to-use, more profitable malicious ware such as ransomware or cryptominers.

ESET researchers have discovered BackSwap uses a "seemingly simple trick that nevertheless defeats advanced browser protection mechanisms against complex attacks."

The banking malware is deployed via malicious spam email campaigns that come with an attachment containing a heavily obfuscated JavaScript downloader from the Nemucod family. The payload itself is delivered as a modified version of a legitimate application, such as TPVCGateway, WinRAR Uninstaller, 7Zip or SQLMon, which is partially overwritten by the malicious payload.

"The intent is not to fool users into thinking they are running the legitimate app, but rather to increase the 'stealthiness' of the malware against analysis and detection," researchers said.

Once downloaded, the malware begins its nefarious activities by copying itself into a startup folder to establish persistence and then goes ahead with its malicious banking functionality.

"The malware does not interact with the browser on the process level at all, which means that it does not require any special privileges and bypasses any third-party hardening of the browser, which usually focuses on conventional injection methods," researchers explain. "Another advantage for the attackers is that the code does not depend either on the architecture of the browser or on its version, and one code path works for all."

Instead, BackSwap taps into key Windows message loops to look for specific URL-like patterns like "https" strings and signs of banking activity like bank-specific URLs and window titles in the browser. For example, the malware injects scripts into pages that are that the victim is using to initiate a wire transfer request or pay a utility account.

If banking activity is detected, the malware then injects malicious JavaScript designed for the corresponding targeted bank. The malicious script is either injected into the web page directly via the address bar or through the browser's JavaScript console without the user's knowledge. The injected script quietly replaces the recipient's bank account number with a different one so that the funds are sent to the attackers. Since the account owner is willingly making and authorizing the transfer, albeit to the wrong recipient, security features such as two-factor authorization are rendered useless.

This attack can be carried out against Google Chrome, Mozilla Firefox and Internet Explorer browsers - all of whom have been notified by ESET. Researchers noted the spam campaign is primarily targeting Polish banking customers with malicious scripts designed for five Polish banks - Pekao, IMG, PKO Bank Polski, Bank Zachodni WBK S.A. and mBank.

So far, the banking malware targets wire transfer amounts and payments within a certain range - between 10,000 and 20,000 PLM ($2800-$5600).

Since January, the developers behind BackSwap have been deploying other forms of malware including a cryptocurrency stealer that replaces wallet addresses in the clipboard. On March 13, the first version of the BackSwap banking malware was introduced. Since then, its developers consistently introducing new versions on a daily basis except for weekends.

ESET researchers note that BackSwap malware highlights the fact that "in the ongoing battle between the security industry and authors of banking malware, new malicious techniques do not necessarily need to be highly sophisticated to be effective."